Skip to main content

Author: Nigel Chisnall

The Risks of Project Risk Management

Project risk management is in itself a rather risky undertaking and the communication of project risk is in need of a major overhaul. In this perspective, Nigel Chisnall considers the current quality of risk communication and examines metaphorical approaches to better visualise project risk when navigating through the project route.

Examples of major contracts diverted at the last moment

Otherwise viable multi-million dollar ICT Infrastructure projects changed direction at the last moment will impact not only on time, cost and quality, but also the reputation of the project team.

  • A large firm having completed a yearlong tender process for a complex ICT managed service selected and announced a preferred supplier. Within days, the supplier posted poor annual financial results. The sourcing team wary of director level perception cancelled the contract and negotiated with the second placed bidder.
  • Another large firm having completed an extensive discovery exercise decided to invest in a new Data Centre in Iceland. Within days, volcanic activity which affected air traffic caused second thoughts and what was a proven solution was ditched in favour of an alternative geographic location with less volcanic risk.

These illustrate how innately human bias is skewed to placing unreasonable weighting on more recent occurrences. Psychologists know how a recent event affects the decision-making process and project scientists and actuaries are aware of the misjudgements that can derive from such events. Project professionals are probably naïve to believe that senior executives behave in this reactionary manner.

Professional conclusion

In these projects, it seems major risks either appeared, or were at least communicated, at the last moment. Wikipedia has no answer but it crisply defines the challenge:

“Risk communication is a complex cross-disciplinary academic field. Problems for risk communicators involve how to reach the intended audience, to make the risk comprehensible and relatable to other risks, how to pay appropriate respect to the audience’s values related to the risk and how to predict the audience’s response to the communication. A main goal of risk communication is to improve collective and individual decision making.”

This got us thinking about the “naïve” aspect of risk communication seen even on major projects. Risk is possibly the most esoteric discipline of the project sciences and managing the unforeseen looks professionally menacing, but with some clear thinking and new communications tools we should be better equipped to communicate uncertainty to different audiences.

Our premise is that risk management is indeed risky, and we need a practical new way to share risk information in the context of the project if we are ever to master it as a professional discipline.

Return to clear thinking

The language of risk is inconsistent across the project sciences, but the CISSP security professional has a helpful logic that seems to hold promise which I illustrate through two stories.

  • A Threat is a circumstance – volcanic ash and poor market perception to annual results are threats to which the project may or may not be exposed
  • Vulnerability is a weakness in the firm making it susceptible to specific threats – if a project will only single source suppliers, it is vulnerable to specific climatic threats or supplier perception threats.
  • A risk or risk event is the combination of a threat and vulnerability and as both a likelihood and impact. Specifically, project risks are risks to the time, cost and quality of the project.
  • The risk, once mitigated, is often termed as a residual risk.

The size (impact x likelihood) is estimated before mitigation and the project risk manager will propose actions or counter measures to reduce the impact and sometimes the likelihood. Should the counter-measures be deemed uneconomical, the project may accept the risk. A risk which actually occurs is more helpfully known as an issue.

Risk communication – the current method

Risks are typically compiled in detailed logs through an initial assessment and on-going review. The log may be distilled into a matrix visualization table. The size of the risk is the multiple of the impact and likelihood and this often reflected as a red/amber/green status of which three risks are illustrated in the following diagram:
chisnell Img01 April3

There are three main issues with this structure:

Firstly, the suggestion of a determined value of a risk such that it becomes a point value on a chart. Sensible actuarial and estimation techniques yield a wide range of possible outcomes. While such professional techniques can improve ‘accuracy’ the numbers generated are rarely scrutinised in this manner. If estimation techniques were used, the dot would be replaced by a ‘probability cloud’.

Secondly, and which has attracted significant academic attention , is the very high impact but very low probability risk – this has been popularized as the black swan and is elusive to representation through a matrix model.

Thirdly, is the difficulty to distinguish mitigated from unmitigated risks.

Improving the current method or exposing its flaws?

An improved visualization will show the movement to the residual risk position and in the following image, all three risks have been mitigated to a less unfavourable position.
chisnell Img02 April3

While there is an improved communication, three new questions now appear relevant to risk communication:

Firstly, are we certain that a residual risk cannot be further mitigated, and what is the incremental impact on time, cost and quality of this further mitigation?

Secondly, by persisting with a point representation of a risk , there is the assumption that the project team knows the firm’s value at risk and has the capability to trade project time, cost and quality in pursuit of diminished risk.

Thirdly, there is no time dimension to this analysis. It’s essentially a moment in time snapshot. While providing a sense of movement, the matrix fails to communicate meaningfully the behaviour of risk over the project term. The last-hour risks in the above stories are unlikely to appear in this type of visualisation.

Creating a matrix is not managing risk. It becomes an end in itself. In fact, the ‘dumbing down’ to a matrix is positively disingenuous, giving the appearance of insight but failing to communicate the need for action. It’s time for a new metaphor that emphasises the project’s movement through time and its dynamic interplay with an environment full of threats.

A new metaphor

We started a conversation with project managers and academic professionals to find a better way to equip the project manager to:

  • Communicate with consistent language
  • Communicate an estimate rather than an ‘exact’ size of a risk (cloud not dot)
  • Show black swans
  • Distinguish mitigated and unmitigated risks
  • Show potential scope for further mitigation
  • Align a risk with its impact on project time, cost and quality
  • Visualize the risk’s time-based characteristics over the project term

We explored a variety of database-generated Infographic formats such as weather maps, pinball machines, airline route maps and ocean crossing. In short we need a new metaphor. While recognising the limits of metaphor, one that seems to hold most promise is the visualisation used by police motorcycle training programs.

Piloting through the risk model

The novice rider is taught to view threats, construction, and other driver unpredictability as threat clouds and the rider is taught to ‘ride defensively’. Our first visualisation might look like this:
chisnell Img03 April3

Police motorcycle training has a powerful, path based, time bound and intuitive thought metaphor of risks as bubbles of (negative) influence. A stretch of road is a time-bound project image and active deviation of bubbles incurs a time cost quality penalty on the project.

Extensions to the metaphor

The most important aspect of this is the visualisation of the interplay of risks which is denied us through logs and matrices. A proper log however has the essential information from which this Infographic could be derived.

This is also a rich picture that shows the project manager actively piloting a project using a project (time- cost- quality) dashboard and positive risk avoidance measures, clearly communicated, rather than being the passive victim of circumstance. Consider this further mock up:
chisnell Img04 April3

A call for action

Would such a risk communication help a project manager avoid the ‘last minute’ events we discussed up front? We suggest it would. The accessibility of the motorcyclist metaphor encourages engagement with the widest range of audiences and an easy visual form in which to consider events from left field.

Why is project risk not communicated in this fluid form? Would the essential data from which this metaphor could be derived be in any detailed risk log and most importantly time-based estimations? Point risks such as end-of-year results or newspaper headlines could be rapidly accommodated into an open ‘risk conversation’.

We need better project risk communications especially as the balance of enterprise spends increases through the project route. The metaphor could be extended to multiple project journeys as a program of journeys – after all, many of the risks are systemic and shared across the portfolio. Additionally, projects may themselves be in conflict and a program level visualisation may be helpful. Finally, the hardest thing is closing the dysfunctional project – visualisation like this can make the ‘close decision’ one in response to business risk.

Don’t forget to leave your comments below.